hxxps://tr[.]ee/wOhrBUwO56

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2023, 11:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://tr.ee/wOhrBUwO56

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133446925118265052"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
1900	chrome.exe
1900	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe
Token: SeShutdownPrivilege	768	chrome.exe
Token: SeCreatePagefilePrivilege	768	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe
768	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 4736	768	chrome.exe	65
PID 768 wrote to memory of 4736	768	chrome.exe	65
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 2780	768	chrome.exe	90
PID 768 wrote to memory of 1104	768	chrome.exe	92
PID 768 wrote to memory of 1104	768	chrome.exe	92
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91
PID 768 wrote to memory of 5024	768	chrome.exe	91

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://tr.ee/wOhrBUwO56
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff940719758,0x7ff940719768,0x7ff940719778
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=324 --field-trial-handle=1868,i,8129443814319233679,6031324840822922990,131072 /prefetch:2
  2⤵
  PID:2780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 --field-trial-handle=1868,i,8129443814319233679,6031324840822922990,131072 /prefetch:8
  2⤵
  PID:5024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 --field-trial-handle=1868,i,8129443814319233679,6031324840822922990,131072 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1868,i,8129443814319233679,6031324840822922990,131072 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3048 --field-trial-handle=1868,i,8129443814319233679,6031324840822922990,131072 /prefetch:1
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4944 --field-trial-handle=1868,i,8129443814319233679,6031324840822922990,131072 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2864 --field-trial-handle=1868,i,8129443814319233679,6031324840822922990,131072 /prefetch:8
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1868,i,8129443814319233679,6031324840822922990,131072 /prefetch:8
  2⤵
  PID:472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3796 --field-trial-handle=1868,i,8129443814319233679,6031324840822922990,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=952 --field-trial-handle=1868,i,8129443814319233679,6031324840822922990,131072 /prefetch:8
  2⤵
  PID:4192

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3212

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x49c 0x2f8
1⤵
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
03a5e4a8488f06955e7d49f66722dce5

SHA1
2cbc2b5bd86f7f75b4a970e8d80cbc0d3c3441bd

SHA256
8d6bb14146ae3e92396fae55cedfa4e3b9e276368710f3279525b494be000a88

SHA512
3ea32eb6c1c36b3ec6e6c51e8a67ef62921d0fcfad2cbc16b14904d39903f14f2c6b162284fd9858052b669e53662e394974db7286560c1c3c7f78439cb808fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a402153a4b46afad1c364435e085427d

SHA1
4608213619dd75b8f35e4a3d4d6ad296392f8a84

SHA256
677182ca24006b0cc9cf7a6dadfea7c269e98c1b09934c8221cc3076fe7f52e7

SHA512
66698b533bdaf16b2996c0c31fa6891f20c42afa43829209c09c4347fc62c6b60b3c419897857fec0ad148b187e6299ec7711d71039bffa5e95d1ec75d81ba82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4b83792d69b711fbadd12b39dba96c7f

SHA1
e17b9cb254873396e8eff8f7123d679bd9402944

SHA256
70e45aec4b08c0e972cbf7e724d900ab7f4eabccd2f8cb8bd98867fab085f6b4

SHA512
7ca30fe83f231f59b87a2f31925696b4ff8c5f84d787d2c70b7870160ae8ffd2da289b48d307c42d9f1371c648fc8361cf5221d75d5b6138e6fd8be5257c9cd9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
f7fd363c7be24be5f77133732960d15f

SHA1
2bb3983032409a782ebf6ebd79952bfe3c35cb29

SHA256
644bd85ef410f5f96a3daf92c9d3fb6bc38b88e28d9dfb64b98091b30bcec542

SHA512
dc0f775e566b3e8c76b550d976b654ad3d2b7a8f1a6436f5fda4cd3ae601de99816bc32e1e441c7e8c8caf53d1a6c0bad144ec533580bf5641448950c118806c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
a685e7ef3ff76f1748ca1416afb1e557

SHA1
c9ba7924b2f1a413aec47ecf2b6e1e661d2df5e9

SHA256
c41a7bc31c0ffe74bd2717d71fbcdc2f274f50e33926406bd98fb8fd615b5efe

SHA512
74dc7c3050a8ba826db6e8ca901d84f0177e791e57990de942c7bd35dbee47f2c7dacee13d04dab8f8d7189598a468435049ac43956e0468a39206770893910f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ba0cea0669ee5ef289680b83f9ba6a75

SHA1
b27c0e52bfa5bad06f75bef260f0a1cd0cc9af12

SHA256
eddcd4596b017401ba3ded0ce71795ec3d2cc67a1455bc44faf200bc91d5c48d

SHA512
7ce9a4d252e0a5e7a17da6783428f118f38aed3a6c5fb5e8f69eee1b85212a2a7d9a43e2b9738ec98dadda7e54b3344e2ad0ceb066375cbb03204c2be2fc8e4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b52f27b35dc33fb6d174fda244ce4483

SHA1
ed7e67f9bc25dab13e5bb589d4262becc2955e07

SHA256
1c372576906e3b83cfc1f800aab18cdacb5e00b1e6949b4eae5df81b70986742

SHA512
382cde2754190eac2138d2808c1c9db429b4d203f91bbb118a1e247354cf9b21f5cbb41fd3c997ec49baaef658d7ca9575713582d84cbad613e11b68f8b620a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
214KB

MD5
7b29ff61dd432e2672ccad3ed4e5e9a2

SHA1
25a61053aa6d6299849715dd7b9d81bcdb2009bf

SHA256
5a05dc6dc7a7f1ba909f004f36e0249b5d497a17d5fa6be0970c61d46bf93461

SHA512
4a55cabe311bdf794908eb330aa9546356509dfcbd93269d3d9eefd796effe37ce520358c94fa34e28532be3f865982248104ef7680a5fe2bdffdad782a83611

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit